To gitea and beyond, let's go(-yco)

2025-11-10 19:12:09 +01:00
parent 8f6133392d
commit 71a031342b
245 changed files with 83994 additions and 0 deletions
--- a/internal/e2e/user_test.go
+++ b/internal/e2e/user_test.go
@@ -0,0 +1,179 @@
+package e2e
+
+import (
+	"net/http"
+	"testing"
+)
+
+func TestE2E_UserDirectory(t *testing.T) {
+	ctx := setupTestContext(t)
+
+	t.Run("user_directory", func(t *testing.T) {
+		users := ctx.createMultipleUsersWithCleanup(t, 3, "user", "StrongPass123!")
+
+		authClient := ctx.loginUser(t, users[0].Username, users[0].Password)
+
+		usersResp := authClient.GetUsers(t)
+		if len(usersResp.Data.Users) < 3 {
+			t.Errorf("Expected at least 3 users, got %d", len(usersResp.Data.Users))
+		}
+
+		for _, user := range usersResp.Data.Users {
+			if user.Username == "" {
+				t.Errorf("Expected username to be present, got empty string")
+			}
+		}
+	})
+}
+
+func TestE2E_ProfileManagement(t *testing.T) {
+	ctx := setupTestContext(t)
+
+	t.Run("profile_management", func(t *testing.T) {
+		createdUser, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")
+
+		profile := authClient.GetProfile(t)
+		assertUserResponse(t, profile, createdUser)
+	})
+}
+
+func TestE2E_ProfileAccessAuthorization(t *testing.T) {
+	ctx := setupTestContext(t)
+
+	t.Run("profile_access_authorization", func(t *testing.T) {
+		createdUsers := ctx.createMultipleUsersWithCleanup(t, 2, "profileuser", "StrongPass123!")
+		user1 := createdUsers[0]
+		user2 := createdUsers[1]
+
+		authClient1 := ctx.loginUser(t, user1.Username, user1.Password)
+		authClient2 := ctx.loginUser(t, user2.Username, user2.Password)
+
+		user2CurrentUsername := user2.Username
+
+		t.Run("users_only_see_own_profile_via_me_endpoint", func(t *testing.T) {
+			profile1 := authClient1.GetProfile(t)
+			if profile1.Data.ID != user1.ID {
+				t.Errorf("User1's /api/auth/me shows wrong ID: expected %d, got %d", user1.ID, profile1.Data.ID)
+			}
+			if profile1.Data.Username != user1.Username {
+				t.Errorf("User1's /api/auth/me shows wrong username: expected '%s', got '%s'", user1.Username, profile1.Data.Username)
+			}
+			if profile1.Data.Email != user1.Email {
+				t.Errorf("User1's /api/auth/me shows wrong email: expected '%s', got '%s'", user1.Email, profile1.Data.Email)
+			}
+
+			profile2 := authClient2.GetProfile(t)
+			if profile2.Data.ID != user2.ID {
+				t.Errorf("User2's /api/auth/me shows wrong ID: expected %d, got %d", user2.ID, profile2.Data.ID)
+			}
+			if profile2.Data.Username != user2.Username {
+				t.Errorf("User2's /api/auth/me shows wrong username: expected '%s', got '%s'", user2.Username, profile2.Data.Username)
+			}
+			if profile2.Data.Email != user2.Email {
+				t.Errorf("User2's /api/auth/me shows wrong email: expected '%s', got '%s'", user2.Email, profile2.Data.Email)
+			}
+
+			if profile1.Data.ID == profile2.Data.ID {
+				t.Errorf("User1 and User2 profiles should have different IDs via /api/auth/me, but both show %d", profile1.Data.ID)
+			}
+			if profile1.Data.Username == profile2.Data.Username {
+				t.Errorf("User1 and User2 profiles should have different usernames via /api/auth/me, but both show '%s'", profile1.Data.Username)
+			}
+			if profile1.Data.Email == profile2.Data.Email {
+				t.Errorf("User1 and User2 profiles should have different emails via /api/auth/me, but both show '%s'", profile1.Data.Email)
+			}
+		})
+
+		t.Run("users_cannot_modify_other_users_email", func(t *testing.T) {
+			originalProfile1 := authClient1.GetProfile(t)
+			originalEmail1 := originalProfile1.Data.Email
+
+			ctx.server.EmailSender.Reset()
+			statusCode := authClient2.UpdateEmailExpectStatus(t, uniqueEmail(t, "newemail2"))
+			if statusCode != http.StatusOK {
+				t.Errorf("Expected User2 to be able to update their own email with status 200, got %d", statusCode)
+			}
+
+			verificationToken := ctx.server.EmailSender.VerificationToken()
+			if verificationToken != "" {
+				ctx.confirmEmail(t, verificationToken)
+			}
+
+			updatedProfile1 := authClient1.GetProfile(t)
+			if updatedProfile1.Data.Email != originalEmail1 {
+				t.Errorf("User2 updating their own email should not affect User1's email. Expected '%s', got '%s'", originalEmail1, updatedProfile1.Data.Email)
+			}
+		})
+
+		t.Run("users_cannot_modify_other_users_username", func(t *testing.T) {
+			originalProfile1 := authClient1.GetProfile(t)
+			originalUsername1 := originalProfile1.Data.Username
+
+			user2CurrentUsername = uniqueUsername(t, "newusername2")
+			authClient2.UpdateUsername(t, user2CurrentUsername)
+
+			updatedProfile1 := authClient1.GetProfile(t)
+			if updatedProfile1.Data.Username != originalUsername1 {
+				t.Errorf("User2 updating their own username should not affect User1's username. Expected '%s', got '%s'", originalUsername1, updatedProfile1.Data.Username)
+			}
+
+			updatedProfile2 := authClient2.GetProfile(t)
+			if updatedProfile2.Data.Username == originalUsername1 {
+				t.Errorf("Expected User2's username to be updated, but it's still '%s'", originalUsername1)
+			}
+		})
+
+		t.Run("users_cannot_modify_other_users_password", func(t *testing.T) {
+			baselineAuthClient1 := ctx.loginUser(t, user1.Username, "StrongPass123!")
+			if baselineAuthClient1.Token == "" {
+				t.Fatalf("User1 should be able to login with original password before User2's update")
+			}
+
+			authClient2.UpdatePassword(t, "StrongPass123!", "NewPass456!")
+
+			newAuthClient1 := ctx.loginUser(t, user1.Username, "StrongPass123!")
+			if newAuthClient1.Token == "" {
+				t.Errorf("User1 should still be able to login with original password after User2 updates their own password")
+			}
+
+			profile1After := newAuthClient1.GetProfile(t)
+			if profile1After.Data.Username != user1.Username {
+				t.Errorf("User1's username should remain unchanged after User2's password update. Expected '%s', got '%s'", user1.Username, profile1After.Data.Username)
+			}
+		})
+
+		t.Run("user1_updates_dont_affect_user2", func(t *testing.T) {
+			authClient2 = ctx.loginUser(t, user2CurrentUsername, "NewPass456!")
+			originalProfile2 := authClient2.GetProfile(t)
+			originalUsername2 := originalProfile2.Data.Username
+
+			authClient1.UpdateUsername(t, uniqueUsername(t, "newusername1"))
+
+			updatedProfile2 := authClient2.GetProfile(t)
+			if updatedProfile2.Data.Username != originalUsername2 {
+				t.Errorf("User1 updating their own username should not affect User2's username. Expected '%s', got '%s'", originalUsername2, updatedProfile2.Data.Username)
+			}
+
+			updatedProfile1 := authClient1.GetProfile(t)
+			if updatedProfile1.Data.Username == originalUsername2 {
+				t.Errorf("Expected User1's username to be updated, but it's still '%s'", originalUsername2)
+			}
+		})
+
+		t.Run("profiles_remain_isolated_after_updates", func(t *testing.T) {
+			authClient2 = ctx.loginUser(t, user2CurrentUsername, "NewPass456!")
+			finalProfile1 := authClient1.GetProfile(t)
+			finalProfile2 := authClient2.GetProfile(t)
+
+			if finalProfile1.Data.ID == finalProfile2.Data.ID {
+				t.Errorf("After all updates, User1 and User2 should still have different IDs, but both show %d", finalProfile1.Data.ID)
+			}
+			if finalProfile1.Data.Username == finalProfile2.Data.Username {
+				t.Errorf("After all updates, User1 and User2 should still have different usernames, but both show '%s'", finalProfile1.Data.Username)
+			}
+			if finalProfile1.Data.Email == finalProfile2.Data.Email {
+				t.Errorf("After all updates, User1 and User2 should still have different emails, but both show '%s'", finalProfile1.Data.Email)
+			}
+		})
+	})
+}